Creating / Changing a Spam Scanning Definition

Document created by user.oxriBaJeN4 Employee on Sep 12, 2015Last modified by user.oxriBaJeN4 Employee on Dec 20, 2016
Version 6Show Document
  • View in full screen mode

As part of the inbound email security checks, Mimecast uses multiple content based heuristic scanning engines. These examine the content of emails and look for key phrases and other identifiers commonly used by spammers. These include content-matching rules, and also DNS-based, checksum-based and statistical filtering definitions.


The aim of Mimecast's initial layers of defense is to reject unwanted spam and malware emails in protocol. However, there are occasions where Mimecast cannot determine if an email is wanted by the end user of not, such as promotional notifications, newsletters or advertisements. The Mimecast Administrator can then configure spam scanning to check the content of all inbound emails. Spam scanning can be configured to apply to different levels of sensitivity and actions, should the Policy be triggered.


If an email address, domain name or IP address is added as a Permitted Sender, either on the customer account or globally, the inbound email will always bypass these content based spam checks (but virus scanning will still apply).

An email with a spam score of 28 or higher, is automatically rejected in protocol and logged in the Rejection Viewer. This is regardless of what the Spam Scanning definition action is set to. Even if there are no Spam Scanning policies configured, this will still happen.



To create or change a definition you must:

  • Be logged on to the Mimecast Administration Console.
  • Have access to the relevant Gateway menu item for the definition being created or changed.


Creating / Changing a Spam Scanning Definition


To create / change a spam scanning definition:

  1. Open the Gateway Policy Editor.
  2. Select the Definitions drop down. A list of the definition types is displayed.
  3. Select the Scan Definitions definition type from the list. The list of definitions is displayed.
  4. Select a folder in the Navigator. A Scan Scanning definition cannot be created in the Root folder.
  5. Either select the:
    • Policy to be changed.
    • New Message Scan Definition button to create a definition.
  6. Complete the Spam Scanning Sessions section section as follows:

    DescriptionEnter a description for the definition.
    Spam Detection Level

    Specify the level of spam detection to be used by selecting one of the following:

    • Relaxed: Sets the triggering threshold of the spam definitions to 7 points. This setting is recommended for users that receive some junk email.
    • Moderate: Sets the triggering threshold of the spam definitions to 5 points. This setting is recommended for users that are actively targeted by promotional and junk emails.
    • Aggressive: Sets the triggering threshold of the spam definitions to 3 points. This setting is recommended for users who do not want to receive any possible spam or junk emails.
    Mimecast recommends that the Administrator starts with a Relaxed level, and then adjusts it accordingly depending on the results and feedback from end users.  Mimecast also recommends that the Moderate and Aggressive Spam Detection levels be applied to selected groups of users that still receive spam, as opposed to applying Aggressive checks to all internal users.  This will help to reduce false positives generated in the Hold Queue.
    Spam Detection Action

    Specify the action to be taken if spam is detected, by selecting one of the following:

    Tag headers: Does not affect the delivery of the email, but inserts a"X-Mimecast-Spam-Signature: yes" tag into the headers of the email message. The tags are analyzed by the Mimecast Security team, and the data is used to augment the Scan Definitions in Mimecast. Alternatively, a rule can also be configured in Outlook to move any emails with the tag in the header or another folder for review by the end user.

    Hold for review: This is the recommended option, as the email delivery will be halted in the Held queue. The Digest can be utilized to inform the user of messages on Hold, at which point the email can be released or blocked.

    Reject to sender: The email is rejected in protocol, and the content of the email is not retained by Mimecast. Should the sender be legitimate, they will need to re-transmit the email message, once the Spam checks have been bypassed.

    None: The "None" spam action supports customers who are applying their own spam filtering upstream, but want to take advantage of our Graymail filtering independently of spam filtering. If this option is selected, no action will be taken on spam messages.

    Enable Graymail ControlEnable this option to allow bulk mail to be treated differently to regular mail. Graymail is typically defined as "mail you want, but just not in your Inbox right now". Examples are newsletters and marketing mails which have been subscribed to, but which are not person-to-person email communication. Actions for Graymail control are defined using the Graymail Detection Action setting.
    Graymail Detection Action

    Enables you to select a different action for Graymail Control:

    • Same as Spam Detection Action: Bulk mail is treated as per the spam handling configuration options above. This is the default action.
    • Tag Headers as Spam: Adds the following SMTP header to Graymails, so they are treated as spam - X-Mimecast-Spam-Signature: yes
    • Tag Headers as Bulk: Adds the following SMTP header to Graymails - X-Mimecast-Bulk-Signature: yes
      With this header enabled, users can define a rule in their email client to take action on Graymail. For example, if a folder called "Graymaill" is created under the Inbox, a message rule in the email client can be configured to automatically move messages into this folder. This removes email noise from the Inbox and allows the user to browse the bulk mail in their own time. End users can prevent mails from being classified as graymail by adding senders to their Managed Senders list using Mimecast for Outlook or another Mimecast app.
    • Hold for Review: Graymail will be placed in a hold queue. The Mimecast Digest email will inform the user of messages on hold and will allow the Graymail to be released or blocked.
    • Reject to Sender: The email is rejected in protocol, and the content of the email is not retained by Mimecast. Should the sender be legitimate, they will need to retransmit the email message once the Spam checks have been bypassed. If a mail is classified as both spam and graymail and both the Spam Detection Action and Graymail Detection Action can be logically applied, then both actions will trigger. If this is not possible, the more severe action will take priority. If you are using an external third-party email marketing service to send marketing emails on behalf of your domain, these emails may be identified as graymail as they pass inbound through the Mimecast Gateway.
  7. Complete the Hold Notification section section as follows:

    Hold Type

    Select the applicable audience that the emails which are held should be visible to via Mimecast Personal Portal, Mimecast Mobile, and Mimecast for Outlook:

    • User: Emails held by the Policy are available in the user's Personal On Hold view (default setting).
    • Moderator: Moderators can see the held emails in Moderated On Hold.
    • Administrator: Only Administrators can view emails triggered by the Policy.
    Moderator Group

    This field is displayed if the Hold Type filed is set to Moderator or User. The field is used to select an appropriate Group by selecting the Lookup button.

    Notification Options

    Select if any additional notifications should be sent. For any email where the attachment is stripped, the recipient will receive the notification discussed previously:

    • A group of users.
    • Select the relevant checkbox Notify (Internal) Sender or Notify (Internal) Recipient to enable internal senders or recipients to receive a notification for any attachments that match the definition.
    • Select the relevant checkboxes to notify external senders or recipients by usingNotify (External) Sender or Notify (External) Recipient.
    • A group of Overseers.
  8. Select the Save and Exit button.
2 people found this helpful